On December 15, 2023, the Cyber Security Agency of Singapore (CSA) published a consultation paper on a draft Cybersecurity (Amendment) Bill 2023 (Bill).
Singapore’s Cybersecurity Act (Act) has been in force since 2018. With a rapidly changing cyber threat landscape, the Bill aims to update Singapore’s laws on cybersecurity and address the emerging challenges posed in cyberspace.
The provisions in the Bill will extend the coverage of Singapore’s cybersecurity laws to a broader group of entities, including:
- Computing vendors – Previously, only provider-owned critical information infrastructure (CII) would have been subject to the obligations under the Act. These include having to submit certain specified information to the CSA, being subject to regular audits and risk assessments, participating in cybersecurity exercises and reporting incidents. However, with the amendments proposed in the Bill, non-provider-owned CII that use computing vendors to deliver essential services will also be caught and subjected to the duties thereunder. In addition, the Bill will close operational gaps in the Act, such as clarifying that designated CII, even if located overseas entirely, will be bound by the obligations under the Bill.
- Foundational digital infrastructure – These refer to major providers of digital infrastructure that provide services of a foundational nature to Singapore, and which will be either designated or specified by the minister or commissioner. They could be services that promote the availability, latency, throughput or security of digital services in Singapore, or which the impairment or loss of service provisioning could lead to a disruption to a large number of businesses or organisations.
- Entities of special cybersecurity interest – These refer to entities that are especially attractive targets of malicious threats due to the sensitive data they possess, or functions performed, which if compromised could impact on the defence, foreign relations, economy, public health, public safety or public order of Singapore.
- Systems of temporary cybersecurity concern – These refer to systems that are critical to Singapore for a time-limited period, and which are susceptible to a high risk of cyberattacks during that period. One example is the systems set up specifically to support high-profile international events hosted in Singapore (e.g. the World Economic Forum), or the distribution of vaccines during the COVID-19 pandemic.
The consultation exercise will close on 15 January 2024.